pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/security/vault ## 0.8.2 (September 5th, 2017)
details: https://anonhg.NetBSD.org/pkgsrc/rev/bdebe842afc0
branches: trunk
changeset: 367742:bdebe842afc0
user: fhajny <fhajny%pkgsrc.org@localhost>
date: Wed Sep 06 11:44:07 2017 +0000
description:
## 0.8.2 (September 5th, 2017)
SECURITY:
- In prior versions of Vault, if authenticating via AWS IAM and
requesting a periodic token, the period was not properly respected.
This could lead to tokens expiring unexpectedly, or a token lifetime
being longer than expected. Upon token renewal with Vault 0.8.2 the
period will be properly enforced.
DEPRECATIONS/CHANGES:
- `vault ssh` users should supply `-mode` and `-role` to reduce the
number of API calls. A future version of Vault will mark these
optional values as required. Failure to supply `-mode` or `-role`
will result in a warning.
- Vault plugins will first briefly run a restricted version of the
plugin to fetch metadata, and then lazy-load the plugin on first
request to prevent crash/deadlock of Vault during the unseal process.
Plugins will need to be built with the latest changes in order for them
to run properly.
FEATURES:
- Lazy Lease Loading: On startup, Vault will now load leases from
storage in a lazy fashion (token checks and revocation/renewal
requests still force an immediate load). For larger installations this
can significantly reduce downtime when switching active nodes or
bringing Vault up from cold start.
- SSH CA Login with `vault ssh`: `vault ssh` now supports the SSH CA
backend for authenticating to machines. It also supports remote host
key verification through the SSH CA backend, if enabled.
- Signing of Self-Issued Certs in PKI: The `pki` backend now supports
signing self-issued CA certs. This is useful when switching root CAs.
IMPROVEMENTS:
- audit/file: Allow specifying `stdout` as the `file_path` to log to
standard output
- auth/aws: Allow wildcards in `bound_iam_principal_id`
- auth/okta: Compare groups case-insensitively since Okta is only
case-preserving
- auth/okta: Standardize Okta configuration APIs across backends
- cli: Add subcommand autocompletion that can be enabled with `vault
-autocomplete-install`
- cli: Add ability to handle wrapped responses when using `vault auth`.
What is output depends on the other given flags; see the help output
for that command for more information.
- core: TLS cipher suites used for cluster behavior can now be set via
`cluster_cipher_suites` in configuration
- core: The `plugin_name` can now either be specified directly as part
of the parameter or within the `config` object when mounting a secret
or auth backend via `sys/mounts/:path` or `sys/auth/:path` respectively
- core: It is now possible to update the `description` of a mount when
mount-tuning, although this must be done through the HTTP layer
- secret/databases/mongo: If an EOF is encountered, attempt reconnecting
and retrying the operation
- secret/pki: TTLs can now be specified as a string or an integer number
of seconds
- secret/pki: Self-issued certs can now be signed via
`pki/root/sign-self-issued`
- storage/gcp: Use application default credentials if they exist
BUG FIXES:
- auth/aws: Properly use role-set period values for IAM-derived token
renewals
- auth/okta: Fix updating organization/ttl/max_ttl after initial setting
- core: Fix PROXY when underlying connection is TLS
- core: Policy-related commands would sometimes fail to act
case-insensitively
- storage/consul: Fix parsing TLS configuration when using a bare IPv6
address
- plugins: Lazy-load plugins to prevent crash/deadlock during unseal
process.
- plugins: Skip mounting plugin-based secret and credential mounts when
setting up mounts if the plugin is no longer present in the catalog.
diffstat:
security/vault/Makefile | 4 ++--
security/vault/distinfo | 10 +++++-----
2 files changed, 7 insertions(+), 7 deletions(-)
diffs (27 lines):
diff -r 6b6537e4bc84 -r bdebe842afc0 security/vault/Makefile
--- a/security/vault/Makefile Wed Sep 06 11:32:32 2017 +0000
+++ b/security/vault/Makefile Wed Sep 06 11:44:07 2017 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.16 2017/09/06 09:03:04 wiz Exp $
+# $NetBSD: Makefile,v 1.17 2017/09/06 11:44:07 fhajny Exp $
-DISTNAME= vault-0.8.1
+DISTNAME= vault-0.8.2
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_GITHUB:=hashicorp/}
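Review bot: The `DISTNAME= vault-0.8.2` bump is the only functional change in this hunk, but the commit's first line is the raw upstream heading "## 0.8.2 (September 5th, 2017)", so a one-line log view does not say which package was updated or that the release carries a SECURITY item (the AWS IAM periodic token period not being respected). Suggest a summary first line such as "Update security/vault to 0.8.2" that calls out the security fix, followed by the upstream changelog.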
diff -r 6b6537e4bc84 -r bdebe842afc0 security/vault/distinfo
--- a/security/vault/distinfo Wed Sep 06 11:32:32 2017 +0000
+++ b/security/vault/distinfo Wed Sep 06 11:44:07 2017 +0000
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.10 2017/08/17 07:58:53 fhajny Exp $
+$NetBSD: distinfo,v 1.11 2017/09/06 11:44:07 fhajny Exp $
-SHA1 (vault-0.8.1.tar.gz) = 5c03b57bdae9148fbf15a7ab3b3a7aff6456a2ba
-RMD160 (vault-0.8.1.tar.gz) = 16c31bd2607d9eed9be54c8c40bc312cb960098f
-SHA512 (vault-0.8.1.tar.gz) = d1400a203dc61d76ffb710388913b45cd5287e1215f34d3fe8e85a36c24024b0eb882b8403f44c85c863658b035a9b7f2c19cb5599cdfd21e0a79788b8d1413a
-Size (vault-0.8.1.tar.gz) = 7263861 bytes
+SHA1 (vault-0.8.2.tar.gz) = 7f313e711b4e0331b933dfa61fbbfc2b807abc5a
+RMD160 (vault-0.8.2.tar.gz) = 88f1b6d8530beb4ec3a9fbdbc138bd6f2931c93a
+SHA512 (vault-0.8.2.tar.gz) = 279056211aefbab09b6533ce5b0fea355511a84c3f21cbbae0fa08b0affd2254fcd0a9479a317d07e9b99c5a2bd6d8c9caa5c32f14f73b21d8c4be3f24345669
+Size (vault-0.8.2.tar.gz) = 7293367 bytes
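Review bot: The replaced `SHA1`, `RMD160`, `SHA512` and `Size` lines for vault-0.8.2.tar.gz are the only integrity check on the new distfile, and the log does not say how they were produced. With `MASTER_SITES` set to `${MASTER_SITE_GITHUB:=hashicorp/}` in the Makefile, it is worth confirming that the digests were regenerated from a freshly fetched tarball and saying so in the log. The size change from 7263861 to 7293367 bytes is plausible for a point release, and of the three digests only SHA512 should be treated as the meaningful one.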